HP-UX Containers (SRP) A.03.00 Administrator's Guide
container basis. Use a recognizable identifier, such as the application name, for the
instance_id parameter when deploying the custom template. When deploying multiple
applications within a container, consider applying the custom template (if needed) once per
application.
15.7 Limitations and disallowed operations
All users in a system container (including root) are prevented from performing the following
administrative tasks. These tasks must be performed in the global view.
• Kernel configuration management
• Kernel tunable management
• System boot configuration
• Reading kernel memory
• Make kernel
• System crash configuration
• KRS (Kernel Registry Services)
• DLKM management
• Creating device files
• Changing system time
• Shutdown/reboot the physical system
• Swap space management
• Logical volume management
• Physical devices management
• Network interface card configuration
• IP Address configuration
• Network tunable configuration
• Compartment rule configuration
• Bypassing compartment rules using overriding privileges
• Enable/disable auditing
• Enable/disable accounting
• IPFilter configuration
• IPSec configuration
• SRP configuration
• Software installation (swinstall/swremove/swconfig)
To prevent the disallowed operations listed above, the following privileges (see privileges(5))
are disallowed in a system container. Commands and system calls that perform these administrative
tasks will return an error when run in a system container.
| Disallowed Privilege | Description | Example |
|---|---|---|
| ACCOUNTING | Allows a process to control the process accounting system. | acct(1M), acctsh(1M) |
| AUDCONTROL | Allows a process to start, modify, and stop the auditing system. | audsys(1M) |